<p>This rule raises an issue when an insecure TLS protocol version is used (ie: a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2" or
"DTLSv1.3").</p>
<h2>Noncompliant Code Example</h2>
<p><code>javax.net.ssl.SSLContext</code> library:</p>
<pre>
context = SSLContext.getInstance("TLSv1.1"); // Noncompliant
</pre>
<p><a href="https://square.github.io/okhttp/">okhttp</a> library:</p>
<pre>
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_1) // Noncompliant
      .build();
</pre>
<h2>Compliant Solution</h2>
<p><code>javax.net.ssl.SSLContext</code> library:</p>
<pre>
context = SSLContext.getInstance("TLSv1.2"); // Compliant
</pre>
<p><a href="https://square.github.io/okhttp/">okhttp</a> library:</p>
<pre>
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_2) // Compliant
      .build();
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
  </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
  Misconfiguration </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/326.html">MITRE, CWE-327</a> - Inadequate Encryption Strength </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/327.html">MITRE, CWE-326</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
  <li> <a href="https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https">Diagnosing TLS, SSL, and HTTPS</a> </li>
  <li> <a href="https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols">SSL and TLS Deployment Best
  Practices - Use secure protocols</a> </li>
</ul>

